Feature #45372

open

Feature #47765: mgr/dashboard: security improvements

mgr/dashboard: monitoring/grafana: any user can run any query on the Prometheus data source

Added by Patrick Seidensal almost 4 years ago. Updated about 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Monitoring
Target version: -
% Done: 0%
Source:
Tags: security
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

Any user with the viewer role can send any query to the Prometheus data source through Grafana.

According to Prometheus' security model, neither the data which could be accessed nor the access to Prometheus itself is considered an issue, though malicious actions might be possible and enhanced security might be a requirement in some cases.

It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs.
-- https://prometheus.io/docs/operating/security/#prometheus

By default though, this access is limited to read-only operations (provided the admin API isn't enabled, which isn't the case in our default deployment). Measures to mitigate against Denial of Service attacks are built into Prometheus itself, though it cannot be guaranteed to prevent all attacks. Secrets are not exposed.

Grafana enables users of its enterprise version to control which queries can be sent to Prometheus; the community version does not include such options.

-- https://grafana.com/docs/grafana/latest/installation/security/#limit-viewer-query-permissions

A possible solution would be to implement a reverse proxy in Ceph Dashboard, which will be capable of filtering queries before they are relayed to Grafana. This solution should not replace the current integration with Grafana, where Grafana is enabled to allow anonymous access, but be offered as an additional option.

By implementing such a proxy, the benefit of being able to access Grafana directly and outside of Ceph Dashboard will be lost, as Grafana will need to be configured to run behind a reverse proxy.

By implementing this solution, we will need to specify which operations can be performed by a Ceph Dashboard user (by its group). This involves continuous maintenance.

Please also note that Prometheus' HTTP API in our current deployments is not protected from being accessed and that restrictions to access Prometheus' API should probably be resolved before this issue needs to be fixed.
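
The filtering step such a proxy would need, as an added example that is not part of the original issue and not Ceph Dashboard code: a fail-closed check that relays only read-only Prometheus API paths and only expressions allow-listed for the user's role. It assumes the proxy can see the Prometheus HTTP API request (path and query parameters) behind each panel; the role names, the allow-listed expressions, the MAX_POINTS cap and the function names are constructed for illustration.

```python
# Added example, not Ceph Dashboard code. Roles and expressions are constructed.
from urllib.parse import parse_qs, urlsplit

# Read-only Prometheus HTTP API endpoints the proxy is willing to relay.
READ_ONLY_PATHS = {"/api/v1/query", "/api/v1/query_range"}

# Hypothetical per-role policy: the exact expressions each role may run.
ALLOWED_QUERIES = {
    "viewer": {"ceph_health_status", "sum(ceph_osd_up)"},
    "admin": {"ceph_health_status", "sum(ceph_osd_up)",
              "rate(ceph_osd_op_r[5m])"},
}
MAX_POINTS = 1000  # assumed cap on samples per series in a range query


def normalize(expr):
    """Trim and collapse whitespace runs; any other difference is a mismatch."""
    return " ".join(expr.split())


def is_allowed(role, method, url):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    parts = urlsplit(url)
    if method != "GET":  # assumption: panels query with GET only
        return False, "method not allowed"
    if parts.path not in READ_ONLY_PATHS:  # rejects /api/v1/admin/... too
        return False, "path not allowed"
    params = parse_qs(parts.query, keep_blank_values=True)
    queries = params.get("query", [])
    if len(queries) != 1:  # missing or repeated parameter
        return False, "exactly one query parameter required"
    if normalize(queries[0]) not in ALLOWED_QUERIES.get(role, set()):
        return False, "expression not allow-listed for role"
    if parts.path == "/api/v1/query_range":
        try:  # assumption: numeric Unix timestamps and step in seconds
            start, end, step = (float(params[k][0])
                                for k in ("start", "end", "step"))
        except (KeyError, ValueError):
            return False, "invalid range parameters"
        # Written positively so NaN values fail the check and are denied.
        if not (step > 0 and start <= end
                and (end - start) / step <= MAX_POINTS):
            return False, "range too large"
    return True, "ok"
```

Every new dashboard panel needs its expression added to the policy table, which is the maintenance cost the description mentions.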


Related issues 1 (1 open, 0 closed)

Related to Dashboard - Feature #47911: mgr/dashboard: (re-)explore a dashboard-proxified Grafana (New)

Actions #1

Updated by Patrick Seidensal almost 4 years ago

  • Tags set to security
  • Affected Versions v15.0.0, v16.0.0 added
Actions #2

Updated by Ernesto Puerta over 3 years ago

  • Parent task set to #47765
Actions #3

Updated by Lenz Grimmer over 3 years ago

  • Related to Feature #47911: mgr/dashboard: (re-)explore a dashboard-proxified Grafana added
Actions #4

Updated by Ernesto Puerta about 3 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 148 to Monitoring